aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Changelog2
-rw-r--r--tests/list1
-rw-r--r--tests/snippets/dovecot/dovecot.ecdsa.crt11
-rw-r--r--tests/snippets/dovecot/dovecot.ecdsa.key5
l---------tests/tls-rsa+ecdsa/interimap.remote1
-rw-r--r--tests/tls-rsa+ecdsa/remote.conf5
-rw-r--r--tests/tls-rsa+ecdsa/t49
7 files changed, 74 insertions, 0 deletions
diff --git a/Changelog b/Changelog
index e400b37..ddc4695 100644
--- a/Changelog
+++ b/Changelog
@@ -9,6 +9,8 @@ interimap (0.5.3) upstream;
- libinterimap: 'null-stderr' is now ignored when the 'debug' flag is
set (the standard error is never sent to /dev/null).
- test suite: use a RSA certificate rather than ECDSA.
+ - test suite: new test with a server offering both RSA+ECDSA
+ certificates. This test requires dovecot-imapd 2.2.31 or later.
-- Guilhem Moulin <guilhem@fripost.org> Tue, 08 Dec 2020 15:58:22 +0100
diff --git a/tests/list b/tests/list
index db77f50..0ad86e4 100644
--- a/tests/list
+++ b/tests/list
@@ -51,6 +51,7 @@ split-set Split large sets to avoid extra-long command lines
tls SSL/TLS handshake
... tls-verify-peer
tls-pin-fingerprint pubkey fingerprint pinning
+ tls-rsa+ecdsa pubkey fingerprint pinning for hybrid RSA+ECDSA
tls-protocols force TLS protocol versions
. Live synchronization (60s)
diff --git a/tests/snippets/dovecot/dovecot.ecdsa.crt b/tests/snippets/dovecot/dovecot.ecdsa.crt
new file mode 100644
index 0000000..b928d4d
--- /dev/null
+++ b/tests/snippets/dovecot/dovecot.ecdsa.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBkjCCATmgAwIBAgIUWyEAqMhQ0uRLtagXgm68bUypQa4wCgYIKoZIzj0EAwIw
+HzEdMBsGA1UEAwwUSW50ZXJJTUFQIHRlc3Qgc3VpdGUwHhcNMjAxMjA5MTQwOTUy
+WhcNMzAxMjA3MTQwOTUyWjAfMR0wGwYDVQQDDBRJbnRlcklNQVAgdGVzdCBzdWl0
+ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFP7A0ivFsHK/WuCQzz+WWh2jBLO
+7uqhWSMh+1cc//jmn2q910XNH3xVFNkIRo7ddg6X8twli3OvC66/YIbxiTyjUzBR
+MB0GA1UdDgQWBBS/p0mJpdBjKpNrQ/t+oJMrehS7wzAfBgNVHSMEGDAWgBS/p0mJ
+pdBjKpNrQ/t+oJMrehS7wzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cA
+MEQCIFMlTb7E92tElIueK8TxbllJ3NOaMb1TMjSScM38N8oOAiAiNI4AkESnimPN
+IOsdnydFYjOkDEhzpXbrBEcP3EgJuQ==
+-----END CERTIFICATE-----
diff --git a/tests/snippets/dovecot/dovecot.ecdsa.key b/tests/snippets/dovecot/dovecot.ecdsa.key
new file mode 100644
index 0000000..dfbd4a7
--- /dev/null
+++ b/tests/snippets/dovecot/dovecot.ecdsa.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgleLchaikcJbUnkps
+4ITR6FGkW2S2+S+w2ISJSsvgt0ehRANCAART+wNIrxbByv1rgkM8/llodowSzu7q
+oVkjIftXHP/45p9qvddFzR98VRTZCEaO3XYOl/LcJYtzrwuuv2CG8Yk8
+-----END PRIVATE KEY-----
diff --git a/tests/tls-rsa+ecdsa/interimap.remote b/tests/tls-rsa+ecdsa/interimap.remote
new file mode 120000
index 0000000..daf3741
--- /dev/null
+++ b/tests/tls-rsa+ecdsa/interimap.remote
@@ -0,0 +1 @@
+../tls/interimap.remote \ No newline at end of file
diff --git a/tests/tls-rsa+ecdsa/remote.conf b/tests/tls-rsa+ecdsa/remote.conf
new file mode 100644
index 0000000..72ca135
--- /dev/null
+++ b/tests/tls-rsa+ecdsa/remote.conf
@@ -0,0 +1,5 @@
+!include conf.d/imapd.conf
+!include conf.d/ssl.conf
+
+ssl_alt_cert = <conf.d/dovecot.ecdsa.crt
+ssl_alt_key = <conf.d/dovecot.ecdsa.key
diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t
new file mode 100644
index 0000000..29352e9
--- /dev/null
+++ b/tests/tls-rsa+ecdsa/t
@@ -0,0 +1,49 @@
+doveconf_remote() {
+ doveconf -c "$HOME_remote/.dovecot/config" -hx "$1"
+}
+pkey_sha256() {
+ openssl x509 -pubkey | openssl pkey -pubin -outform DER \
+ | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}"
+}
+x509_sha256() {
+ openssl x509 -noout -fingerprint -sha256 \
+ | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]"
+}
+
+PKEY_SHA256="$(doveconf_remote ssl_cert | pkey_sha256)"
+X509_SHA256="$(doveconf_remote ssl_cert | x509_sha256)"
+PKEY_ALT_SHA256="$(doveconf_remote ssl_alt_cert | pkey_sha256)"
+X509_ALT_SHA256="$(doveconf_remote ssl_alt_cert | x509_sha256)"
+
+# pinned valid fingerprints
+cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
+ SSL_fingerprint = sha256\$$PKEY_SHA256 sha256\$$PKEY_ALT_SHA256
+EOF
+
+for ((i = 0; i < 32; i++)); do
+ u="$(shuf -n1 -e "local" "remote")"
+ sample_message | deliver -u "$u"
+done
+interimap_init
+check_mailbox_status "INBOX"
+
+interimap --debug || error
+# which peer certificate is used is up to libssl
+grep -Fx -e "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" \
+ -e "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" \
+ <"$STDERR" || error
+
+# force RSA (XXX do we really have to force TLSv1.2 here?)
+cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
+ SSL_protocols = TLSv1.2
+ SSL_cipherlist = EECDH+AESGCM+aRSA
+EOF
+interimap --debug || error
+grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
+
+# force ECDSA
+sed -i "s/^SSL_cipherlist\\s*=.*/SSL_cipherlist = EECDH+AESGCM+aECDSA/" "$XDG_CONFIG_HOME/interimap/config"
+interimap --debug || error
+grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" <"$STDERR" || error
+
+# vim: set filetype=sh :